Make SSL fn's shared betw'n ssl_tls.c and ssl_msg.c public-internal

This commit makes some SSL functions public-internal -- moving them to to the mbedtls_ namespace but declaring them within ssl_internal.h -- which a currently shared between the SSL logic layer implementation in ssl_tls.c and the SSL messaging layer implementation in ssl_msg.c
2025-07-10 15:47:24 +00:00 · 2020-01-31 13:56:39 +00:00 · 2020-01-31 13:56:39 +00:00 · f626b03810
parent 2389171035
commit f626b03810
3 changed files with 98 additions and 74 deletions
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -1063,7 +1063,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
                             mbedtls_record *rec );
 /* Length of the "epoch" field in the record header */
-static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
+static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
@ -1074,4 +1074,31 @@ static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
    return( 0 );
 }
 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
                              mbedtls_ssl_transform *transform );
 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
 #endif
 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 #endif /* ssl_internal.h */
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -67,16 +67,11 @@
 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
 static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
 static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
                                     mbedtls_ssl_transform *transform );
 static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
 /*
 * Start a timer.
 * Passing millisecs = 0 cancels a running timer.
 */
-static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
+void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
 {
    if( ssl->f_set_timer == NULL )
        return;
@ -88,7 +83,7 @@ static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
 /*
 * Return -1 is timer is expired, 0 if it isn't.
 */
-static int ssl_check_timer( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
 {
    if( ssl->f_get_timer == NULL )
        return( 0 );
@ -171,7 +166,6 @@ exit:
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 /* Forward declarations for functions related to message buffering. */
 static void ssl_buffering_free( mbedtls_ssl_context *ssl );
 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
                                     uint8_t slot );
 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
@ -181,11 +175,10 @@ static int ssl_buffer_message( mbedtls_ssl_context *ssl );
 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
                                     mbedtls_record const *rec );
 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
 static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
 static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
 {
-    size_t mtu = ssl_get_current_mtu( ssl );
+    size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
    if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
        return( mtu );
@ -1732,7 +1725,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
         * This avoids by-passing the timer when repeatedly receiving messages
         * that will end up being dropped.
         */
-        if( ssl_check_timer( ssl ) != 0 )
+        if( mbedtls_ssl_check_timer( ssl ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
            ret = MBEDTLS_ERR_SSL_TIMEOUT;
@ -1763,7 +1756,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
        if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
        {
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
-            ssl_set_timer( ssl, 0 );
+            mbedtls_ssl_set_timer( ssl, 0 );
            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
            {
@ -1785,9 +1778,10 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
            else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
                     ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
            {
-                if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+                if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
                {
-                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
                                           ret );
                    return( ret );
                }
@ -1811,7 +1805,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
        {
            len = nb_want - ssl->in_left;
-            if( ssl_check_timer( ssl ) != 0 )
+            if( mbedtls_ssl_check_timer( ssl ) != 0 )
                ret = MBEDTLS_ERR_SSL_TIMEOUT;
            else
            {
@ -1913,7 +1907,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
    {
        ssl->out_hdr = ssl->out_buf + 8;
    }
-    ssl_update_out_pointers( ssl, ssl->transform_out );
+    mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
@ -1973,7 +1967,7 @@ static int ssl_flight_append( mbedtls_ssl_context *ssl )
 /*
 * Free the current flight of handshake messages
 */
-static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
+void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
 {
    mbedtls_ssl_flight_item *cur = flight;
    mbedtls_ssl_flight_item *next;
@ -2016,7 +2010,7 @@ static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
    memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
    /* Adjust to the newly activated transform */
-    ssl_update_out_pointers( ssl, ssl->transform_out );
+    mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
    if( mbedtls_ssl_hw_record_activate != NULL )
@ -2199,7 +2193,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
    else
    {
        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
-        ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+        mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
    }
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
@ -2213,7 +2207,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
 {
    /* We won't need to resend that one any more */
-    ssl_flight_free( ssl->handshake->flight );
+    mbedtls_ssl_flight_free( ssl->handshake->flight );
    ssl->handshake->flight = NULL;
    ssl->handshake->cur_msg = NULL;
@ -2224,10 +2218,10 @@ void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
    ssl->handshake->buffering.seen_ccs = 0;
    /* Clear future message buffering structure. */
-    ssl_buffering_free( ssl );
+    mbedtls_ssl_buffering_free( ssl );
    /* Cancel timer */
-    ssl_set_timer( ssl, 0 );
+    mbedtls_ssl_set_timer( ssl, 0 );
    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
@ -2244,7 +2238,7 @@ void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
 {
    ssl_reset_retransmit_timeout( ssl );
-    ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+    mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
@ -2570,14 +2564,14 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
        ssl->out_left += protected_record_size;
        ssl->out_hdr  += protected_record_size;
-        ssl_update_out_pointers( ssl, ssl->transform_out );
+        mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
-        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+        for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
            if( ++ssl->cur_out_ctr[i - 1] != 0 )
                break;
        /* The loop goes to its end iff the counter is wrapping */
-        if( i == ssl_ep_len( ssl ) )
+        if( i == mbedtls_ssl_ep_len( ssl ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
@ -2897,7 +2891,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
 * not seen yet).
 */
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
+void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
 {
    ssl->in_window_top = 0;
    ssl->in_window = 0;
@ -3171,7 +3165,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
    if( ret == 0 )
    {
        /* Got a valid cookie, partially reset context */
-        if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
+        if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
            return( ret );
@ -3588,12 +3582,12 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
 #endif
        {
            unsigned i;
-            for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
                if( ++ssl->in_ctr[i - 1] != 0 )
                    break;
            /* The loop goes to its end iff the counter is wrapping */
-            if( i == ssl_ep_len( ssl ) )
+            if( i == mbedtls_ssl_ep_len( ssl ) )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
                return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
@ -4329,7 +4323,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
                /* Reset in pointers to default state for TLS/DTLS records,
                 * assuming no CID and no offset between record content and
                 * record plaintext. */
-                ssl_update_in_pointers( ssl );
+                mbedtls_ssl_update_in_pointers( ssl );
                /* Setup internal message pointers from record structure. */
                ssl->in_msgtype = rec.type;
@ -4466,7 +4460,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
    /* Reset in pointers to default state for TLS/DTLS records,
     * assuming no CID and no offset between record content and
     * record plaintext. */
-    ssl_update_in_pointers( ssl );
+    mbedtls_ssl_update_in_pointers( ssl );
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
    ssl->in_len = ssl->in_cid + rec.cid_len;
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
@ -4634,7 +4628,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
        if( ssl->handshake != NULL &&
            ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER  )
        {
-            ssl_handshake_wrapup_free_hs_transform( ssl );
+            mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
        }
    }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
@ -4734,7 +4728,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
    {
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-        ssl_dtls_replay_reset( ssl );
+        mbedtls_ssl_dtls_replay_reset( ssl );
 #endif
        /* Increment epoch */
@ -4750,7 +4744,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
    memset( ssl->in_ctr, 0, 8 );
-    ssl_update_in_pointers( ssl );
+    mbedtls_ssl_update_in_pointers( ssl );
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
    if( mbedtls_ssl_hw_record_activate != NULL )
@ -4780,7 +4774,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 *       and the caller has to make sure there's space for this.
 */
-static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
+void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
 {
    /* Set the incoming and outgoing record pointers. */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -4797,12 +4791,12 @@ static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
    }
    /* Derive other internal pointers. */
-    ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
+    mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
-    ssl_update_in_pointers ( ssl );
+    mbedtls_ssl_update_in_pointers ( ssl );
 }
-static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
-                                     mbedtls_ssl_transform *transform )
+                                      mbedtls_ssl_transform *transform )
 {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
@ -4847,7 +4841,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
 *       and the caller has to make sure there's space for this.
 */
-static void ssl_update_in_pointers( mbedtls_ssl_context *ssl )
+void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
 {
    /* This function sets the pointers to match the case
     * of unprotected TLS/DTLS records, with both  ssl->in_iv
@ -5046,7 +5040,7 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
-static void ssl_buffering_free( mbedtls_ssl_context *ssl )
+void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
 {
    unsigned offset;
    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
@ -5139,7 +5133,7 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport,
 */
 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
 {
-    size_t ep_len = ssl_ep_len( ssl );
+    size_t ep_len = mbedtls_ssl_ep_len( ssl );
    int in_ctr_cmp;
    int out_ctr_cmp;
@ -5233,7 +5227,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
        if( ssl->f_get_timer != NULL &&
            ssl->f_get_timer( ssl->p_timer ) == -1 )
        {
-            ssl_set_timer( ssl, ssl->conf->read_timeout );
+            mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
        }
        if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
@ -5325,11 +5319,12 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
                    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
                }
 #endif
-                ret = ssl_start_renegotiation( ssl );
+                ret = mbedtls_ssl_start_renegotiation( ssl );
                if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
                    ret != 0 )
                {
-                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
                                           ret );
                    return( ret );
                }
            }
@ -5426,7 +5421,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
        /* We're going to return something now, cancel timer,
         * except if handshake (renegotiation) is in progress */
        if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
-            ssl_set_timer( ssl, 0 );
+            mbedtls_ssl_set_timer( ssl, 0 );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
        /* If we requested renego but received AppData, resend HelloRequest.
@ -5436,9 +5431,10 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
            ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
        {
-            if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+            if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
            {
-                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request",
                                       ret );
                return( ret );
            }
        }
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1992,7 +1992,7 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx,
 static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
-static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
 {
    /* If renegotiation is not enforced, retransmit until we would reach max
     * timeout if we were using the usual handshake doubling scheme */
@ -3285,7 +3285,7 @@ static void ssl_calc_finished_tls_sha384(
 #endif /* MBEDTLS_SHA512_C */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
+void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
 {
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
@ -3357,7 +3357,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
        ssl->handshake->flight != NULL )
    {
        /* Cancel handshake timer */
-        ssl_set_timer( ssl, 0 );
+        mbedtls_ssl_set_timer( ssl, 0 );
        /* Keep last flight around in case we need to resend it:
         * we need the handshake and transform structures for that */
@ -3365,7 +3365,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
    }
    else
 #endif
-        ssl_handshake_wrapup_free_hs_transform( ssl );
+        mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
    ssl->state++;
@ -3378,7 +3378,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
-    ssl_update_out_pointers( ssl, ssl->transform_negotiate );
+    mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
    ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
@ -3722,7 +3722,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
        else
            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
-        ssl_set_timer( ssl, 0 );
+        mbedtls_ssl_set_timer( ssl, 0 );
    }
 #endif
@ -3801,7 +3801,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
        goto error;
    }
-    ssl_reset_in_out_pointers( ssl );
+    mbedtls_ssl_reset_in_out_pointers( ssl );
    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
        goto error;
@ -3839,7 +3839,7 @@ error:
 * If partial is non-zero, keep data in the input buffer and client ID.
 * (Use when a DTLS client reconnects from the same port.)
 */
-static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
+int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3851,7 +3851,7 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
    /* Cancel any possibly running timer */
-    ssl_set_timer( ssl, 0 );
+    mbedtls_ssl_set_timer( ssl, 0 );
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
@ -3864,7 +3864,7 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
    ssl->in_offt = NULL;
-    ssl_reset_in_out_pointers( ssl );
+    mbedtls_ssl_reset_in_out_pointers( ssl );
    ssl->in_msgtype = 0;
    ssl->in_msglen = 0;
@ -3873,7 +3873,7 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
    ssl->in_epoch = 0;
 #endif
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-    ssl_dtls_replay_reset( ssl );
+    mbedtls_ssl_dtls_replay_reset( ssl );
 #endif
    ssl->in_hslen = 0;
@ -3960,7 +3960,7 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
 */
 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
 {
-    return( ssl_session_reset_int( ssl, 0 ) );
+    return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
 }
 /*
@ -4071,7 +4071,7 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
    ssl->f_get_timer    = f_get_timer;
    /* Make sure we start with no timer running */
-    ssl_set_timer( ssl, 0 );
+    mbedtls_ssl_set_timer( ssl, 0 );
 }
 #if defined(MBEDTLS_SSL_SRV_C)
@ -4878,7 +4878,7 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
-static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
+size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
 {
    /* Return unlimited mtu for client hello messages to avoid fragmentation. */
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
@ -4914,9 +4914,9 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if( ssl_get_current_mtu( ssl ) != 0 )
+    if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
    {
-        const size_t mtu = ssl_get_current_mtu( ssl );
+        const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
        const int ret = mbedtls_ssl_get_record_expansion( ssl );
        const size_t overhead = (size_t) ret;
@ -5622,7 +5622,7 @@ static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
 * If the handshake doesn't complete due to waiting for I/O, it will continue
 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
 */
-static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -5852,8 +5852,8 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    mbedtls_free( handshake->verify_cookie );
-    ssl_flight_free( handshake->flight );
+    mbedtls_ssl_flight_free( handshake->flight );
-    ssl_buffering_free( ssl );
+    mbedtls_ssl_buffering_free( ssl );
 #endif
 #if defined(MBEDTLS_ECDH_C) &&                  \
@ -6199,7 +6199,7 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
    MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
-    return( ssl_session_reset_int( ssl, 0 ) );
+    return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
 }
 /*
@ -6296,7 +6296,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    p += 4;
    /* This has been allocated by ssl_handshake_init(), called by
-     * by either ssl_session_reset_int() or mbedtls_ssl_setup(). */
+     * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
    ssl->session = ssl->session_negotiate;
    ssl->session_in = ssl->session;
    ssl->session_out = ssl->session;
@ -6319,7 +6319,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
     */
    /* This has been allocated by ssl_handshake_init(), called by
-     * by either ssl_session_reset_int() or mbedtls_ssl_setup(). */
+     * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
    ssl->transform = ssl->transform_negotiate;
    ssl->transform_in = ssl->transform;
    ssl->transform_out = ssl->transform;
@ -6480,7 +6480,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    /* Adjust pointers for header fields of outgoing records to
     * the given transform, accounting for explicit IV and CID. */
-    ssl_update_out_pointers( ssl, ssl->transform );
+    mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    ssl->in_epoch = 1;
@ -6488,7 +6488,8 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
    /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
     * which we don't want - otherwise we'd end up freeing the wrong transform
-     * by calling ssl_handshake_wrapup_free_hs_transform() inappropriately. */
+     * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
     * inappropriately. */
    if( ssl->handshake != NULL )
    {
        mbedtls_ssl_handshake_free( ssl );